Cryptographic Hash Function

Cryptographic Hash Function Definition

What is a Cryptographic Hash Function?

A cryptographic hash function is a kind of algorithm that can be run on a piece of data, like an individual file or a password, producing a value called a checksum.

The main use of a cryptographic hash function is to verify the authenticity of a piece of data. Two files can be assured to be identical only if the checksums generated from each file, using the same cryptographic hash function, are identical.

Some commonly used cryptographic hash functions include MD5 and SHA-1, though many others also exist.

Note: Cryptographic hash functions are often just referred to as hash functions for short, but that's not technically correct. A hash function is a more generic term that's usually used to encompass cryptographic hash functions along with other sorts of algorithms like cyclic redundancy checks.

Cryptographic Hash Functions: A Use Case

Let's say you download the latest version of the Firefox browser. For whatever reason, you needed to download it from a site other than Mozilla's. Not being hosted on a site you've learned to trust, you'd like to make sure that the installation file you just downloaded is the exact same thing Mozilla offers.

Using a checksum calculator, you compute a checksum using a particular cryptographic hash function and then compare that to the one published on Mozilla's site.

If they're equal, then you can be reasonably sure that the download you have is the one Mozilla intended you to have.

See What is a Checksum? for more on these special calculators, plus more examples on using checksums to make sure files you download really are what you expected them to be.

Can Cryptographic Hash Functions Be Reversed?

Cryptographic hash functions are designed to prevent the ability to reverse the checksums they create back into the original texts.

However, even though they are virtually impossible to reverse, it doesn't mean they're 100% guaranteed to safeguard data.

Something called a rainbow table can be used to quickly figure out the plaintext of a checksum. Rainbow tables are basically dictionaries that list out thousands, millions, or even billions of checksums alongside their corresponding plaintext values.

While this isn't technically reversing the cryptographic hash algorithm, it might as well be since it's so simple to do. In reality, since no rainbow table can list out every possible checksum in existence, they're usually only "helpful" for simple phrases... like weak passwords.

Passwords and Cryptographic Hash Functions

A database saves user passwords in a way that resembles a rainbow table. When your password is entered, its checksum is generated and compared with the one on record for your username. You're then granted access if the two are identical.

Given that a cryptographic hash function produces a non-reversible checksum, does that mean you can make your password as simple as 12345, instead of 12@34$5, simply because the checksums themselves can't be understood? It definitely does not, and here's why...

As you can see, these two passwords are both impossible to decipher just by looking at the checksum:

MD5 for 12345: 827ccb0eea8a706c4c34a16891f84e7b

MD5 for 12@34$5: a4d3cc004f487b18b2ccd4853053818b

So, at first glance you may think that it's absolutely fine to use either of these passwords. This is definitely true if an attacker tried figuring out your password by guessing the MD5 checksum (which nobody does), but not true if a brute force or dictionary attack is performed (which is a common tactic).

A brute force attack is when multiple random stabs are taken at guessing a password. In this case, it would be very easy to guess "12345," but pretty difficult to randomly figure out the other one.

A dictionary attack is similar in that the attacker can try every word, number, or phrase from a list of common (and less commonly used) passwords, "12345" definitely being one that would be tried.

So, even though cryptographic hash functions produce checksums that are difficult or impossible to guess, you should still use a complex password for all your online and local user accounts.
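
The point of the last two sections, as an added example that is not part of the original article: a precomputed checksum-to-plaintext table (the simple dictionary form of a rainbow table described above) resolves the article's MD5 for 12345 instantly but not the one for 12@34$5, and a salted, slow hash on the storage side makes such a table useless. The wordlist, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist (an assumption for this example, not from the article).
COMMON_PASSWORDS = ["123456", "password", "12345", "qwerty", "letmein"]

# The two MD5 checksums quoted in the article.
PAGE_MD5_SIMPLE = "827ccb0eea8a706c4c34a16891f84e7b"   # given for 12345
PAGE_MD5_COMPLEX = "a4d3cc004f487b18b2ccd4853053818b"  # given for 12@34$5


def build_lookup_table(words):
    """Precompute checksum -> plaintext once, as the article says rainbow tables do."""
    return {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in words}


def lookup(table, checksum):
    """Return the plaintext for a checksum, or None if it was never precomputed."""
    return table.get(checksum.lower())


def hash_password(password, iterations=200_000):
    """Storage side: per-user random salt plus a deliberately slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


TABLE = build_lookup_table(COMMON_PASSWORDS)

if __name__ == "__main__":
    print("simple :", lookup(TABLE, PAGE_MD5_SIMPLE))    # present in the table
    print("complex:", lookup(TABLE, PAGE_MD5_COMPLEX))   # absent from the table
    salt_a, n, stored_a = hash_password("12345")
    salt_b, _, stored_b = hash_password("12345")
    # Same password, different salts: the stored values differ, so one
    # precomputed table cannot cover both users.
    print("salted values differ:", stored_a != stored_b)
    print("login ok:", verify_password("12345", salt_a, n, stored_a))
```

Salting does not make 12345 a good password: an attacker who guesses it directly still gets in, which is why the article's advice to choose a complex password stands.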